Date:      Fri, 12 Nov 2004 11:35:05 +0300
From:      Martes Wigglesworth <martes.wigglesworth@earthlink.net>
To:        David Roberts <dtrobert@pacbell.net>
Cc:        ipfw-mailings <freebsd-ipfw@freebsd.org>
Subject:   Re: upgrading from 5.2.1 to 5.3 broke my ipfw
Message-ID:  <1100248505.826.6.camel@Mobile1.276NET>
In-Reply-To: <20041112065715.4EEE743D49@mx1.FreeBSD.org>
References:  <20041112065715.4EEE743D49@mx1.FreeBSD.org>



That is really a problem. I have seen more broken stuff with 5.3 than
with 5.2.1, more than I care to complain about.

The way that the default-accept option is supposed to work is that your
default 65535 rule is allow ip from any to any.  Your experience is not
normal.  Your rules should apply to something.
Have you tried doing a /etc/netstart?  I used to get ignored
functionality when my routing table was quirky, due to dhcp or
something else.  The main issue is that your rule is saying one thing
and not doing the displayed functionality.  That is something that you
may want to put to the Current list.

I am not an expert; however, I have bumped into erroneous-user land many
a time with BSD, and I have experienced such functionality, with the
exception of the fictitious default rule. (Please excuse spelling)  You
may want to fetch the newest CVSUP'd src and recompile the kernel, with
a new version of the config file, and all. I have found that an
unreliable source can cause this weirdness, as well.
-- 
Respectfully,


M.G.W.

System:
Asus M6N 
Intel Dothan 1.7
512MB RAM
40GB HD
10/100/1000 NIC
Wireless b/g (not working yet)
BSD-5.2.1
GCC-3.3.5/3.3.3(until I replace indigenous gcc)
IFORT-for linux(Intel Fortran)
gfortran
python-2.3
Perl-5.6.1/5.8.5
Java-sdk-1.4.2_5
KDE-3.1.4


Status: U
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Received: from mx2.freebsd.org ([216.136.204.119]) by
	mx-a065a10.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id
	1csvnh4Gn3NZFpB0 for <martes.wigglesworth@earthlink.net>;
	Thu, 11 Nov 2004	22:57:35 -0800 (PST)
Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by
	mx2.freebsd.org (Postfix) with ESMTP id 907C455AAA; Fri, 12 Nov 2004
	06:57:18 +0000 (GMT) (envelope-from owner-freebsd-ipfw@freebsd.org)
Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org
	(Postfix) with ESMTP id DEEF916A4D8;
	Fri, 12 Nov 2004 06:57:17 +0000 (GMT)
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by
	hub.freebsd.org (Postfix) with ESMTP id 74AC316A4CE for
	<freebsd-ipfw@freebsd.org>; Fri, 12 Nov 2004 06:57:15 +0000 (GMT)
Received: from smtp804.mail.sc5.yahoo.com (smtp804.mail.sc5.yahoo.com
	4EEE743D49 for
	<freebsd-ipfw@freebsd.org>; Fri, 12 Nov 2004 06:57:15 +0000 (GMT)
	(envelope-from dtrobert@pacbell.net)
Received: from unknown (HELO MADAGASCAR)
	(dtrobert@pacbell.net@69.107.12.181 with login) by
	smtp804.mail.sc5.yahoo.com with SMTP; 12 Nov 2004 06:57:14 -0000
From: "David Roberts" <dtrobert@pacbell.net>
To: <freebsd-ipfw@freebsd.org>
Date: Thu, 11 Nov 2004 22:57:12 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcTIhNWIGdUImtd9SgmSlhEhVuFUBA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-Id: <20041112065715.4EEE743D49@mx1.FreeBSD.org>
Subject: upgrading from 5.2.1 to 5.3 broke my ipfw
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>;
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
Sender: owner-freebsd-ipfw@freebsd.org
Errors-To: owner-freebsd-ipfw@freebsd.org
X-ELNK-AV: 0
Content-Transfer-Encoding: 7bit

Hi,
 I have been using ipfw for some time now and recently upgraded from 5.2.1
to 5.3. My firewall immediately started blocking me even from pinging
localhost.  

I also noted an error around an ipfw log entry I had and commented it out.
I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured I'd
give it a try since I was always frustrated that flushing my rules would
bump me off. I rebuilt the kernel and now I have the opposite problem,
everything is allowed no matter what my rules say.

My kernel opts are now 
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT

After flushing ipfw I get

# ipfw show
65535 67836 20914281 deny ip from any to any

I even added another deny rule but everything is still allowed. Does that
option just disable my firewall entirely?

My #ipfw show after running my firewall.rules is:

00100     0        0 allow ip from 127.0.0.1 to any keep-state
00200     0        0 allow ip from 192.168.1.0/28 to any keep-state
00300     0        0 allow ip from <myip> to any keep-state
00400     0        0 deny ip from 192.168.1.0/28 to any in via fxp0
00500     0        0 deny ip from any to 172.16.0.0/12 via fxp0
00600     0        0 deny ip from any to 192.168.0.0/16 via fxp0
00700     0        0 deny ip from any to 0.0.0.0/8 via fxp0
00800     0        0 deny ip from any to 169.254.0.0/16 via fxp0
00900     0        0 deny ip from any to 192.0.2.0/24 via fxp0
01000     0        0 deny ip from any to 224.0.0.0/4 via fxp0
01100     0        0 deny ip from any to 240.0.0.0/4 via fxp0
01200     0        0 deny ip from 172.16.0.0/12 to any via fxp0
01300     0        0 deny ip from 192.168.0.0/16 to any via fxp0
01400     0        0 deny ip from 0.0.0.0/8 to any via fxp0
01500     0        0 deny ip from 169.254.0.0/16 to any via fxp0
01600     0        0 deny ip from 192.0.2.0/24 to any via fxp0
01700     0        0 deny ip from 224.0.0.0/4 to any via fxp0
01800     0        0 deny ip from 240.0.0.0/4 to any via fxp0
01900     0        0 allow tcp from any to <myip> dst-port 80 setup
02000     0        0 allow tcp from any to <myip> dst-port 22 setup keep-state
02100     0        0 allow tcp from 192.168.1.0/28 to any setup
65535 70851 21336238 deny ip from any to any

Thanks

David

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
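David's two listings show every user rule at zero packets while only rule 65535's counters move (67836 packets, then 70851), which is the symptom Martes points at: the displayed rules are not the ones deciding traffic, and under a default-accept kernel rule 65535 should read allow, not deny. The script below is an added example, not code from either poster, that compares two `ipfw show` snapshots and reports which rules actually accounted traffic and what the catch-all rule's action is. The snapshots are constructed from the counters quoted in the thread (the `<myip>` placeholder is kept as written), and the function names `ipfw_delta`, `default_action` and `only_default_matched` are this example's own, not ipfw(8) features.

```shell
#!/bin/sh
# Added example (not from the thread): compare two `ipfw show` snapshots and
# report which rules accounted traffic in between. The sample snapshots below
# are constructed from the counters quoted in David's post; the functions are
# this example's own, not ipfw(8) features.

# Constructed snapshot 1: ruleset right after loading firewall.rules.
SNAP_BEFORE='00100     0        0 allow ip from 127.0.0.1 to any keep-state
00200     0        0 allow ip from 192.168.1.0/28 to any keep-state
00400     0        0 deny ip from 192.168.1.0/28 to any in via fxp0
02000     0        0 allow tcp from any to <myip> dst-port 22 setup keep-state
65535 67836 20914281 deny ip from any to any'

# Constructed snapshot 2: the same ruleset after some traffic was generated.
SNAP_AFTER='00100     0        0 allow ip from 127.0.0.1 to any keep-state
00200     0        0 allow ip from 192.168.1.0/28 to any keep-state
00400     0        0 deny ip from 192.168.1.0/28 to any in via fxp0
02000     0        0 allow tcp from any to <myip> dst-port 22 setup keep-state
65535 70851 21336238 deny ip from any to any'

# ipfw_delta BEFORE AFTER: print "rule packets action" for every rule whose
# packet counter grew between the two snapshots. `ipfw show` prints the rule
# number, packet count, byte count and then the rule body, so the action is
# the fourth field.
ipfw_delta() {
    { printf '%s\n' "$1"; echo '__AFTER__'; printf '%s\n' "$2"; } |
    awk '
        $1 == "__AFTER__" { after = 1; next }
        NF < 4 { next }            # blank lines and wrapped continuation lines
        !after { before[$1] = $2 + 0; next }
        {
            d = ($2 + 0) - before[$1]
            if (d > 0) printf "%s %d %s\n", $1, d, $4
        }'
}

# default_action SNAPSHOT: print the action of the catch-all rule 65535.
# With IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel it is expected to read "allow".
default_action() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $4 }'
}

# only_default_matched BEFORE AFTER: succeed (exit 0) when traffic flowed
# but rule 65535 was the only rule whose counters moved.
only_default_matched() {
    ipfw_delta "$1" "$2" | awk '
        BEGIN { n = 0; other = 0 }
        { n++; if ($1 != "65535") other++ }
        END { if (n > 0 && other == 0) exit 0; exit 1 }'
}

# Stand-alone report over the constructed snapshots.
echo "rules that accounted traffic (rule packets action):"
ipfw_delta "$SNAP_BEFORE" "$SNAP_AFTER"
echo "default rule action: $(default_action "$SNAP_AFTER")"
if only_default_matched "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "WARNING: only the default rule matched; the listed rules are not being consulted"
fi
```

On a live box, capture `ipfw show` before and after generating a little traffic (a ping to localhost, as in David's report) and pass the two captures to the functions. A result where only 65535 moves, while the kernel was configured with IPFIREWALL_DEFAULT_TO_ACCEPT and the rule still reads deny, says the problem is between the running kernel and the ruleset it reports rather than in the rules themselves, which is the kind of mismatch Martes suggests clearing by rebuilding from fresh source; checking `sysctl net.inet.ip.fw.enable` (which I know exists on FreeBSD, though the thread does not mention it) is a cheap first step before a rebuild.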



